Description
Platform or tool
terraform and opentofu
Relevant links
- https://developer.hashicorp.com/terraform/cli/config/config-file#credentials-helpers
- https://developer.hashicorp.com/terraform/internals/credentials-helpers
- https://opentofu.org/docs/v1.11/cli/config/config-file/#credentials-helpers
- https://opentofu.org/docs/v1.11/internals/credentials-helpers/
Goal or desired behavior
By default, terraform login or tofu login stores tokens on disk in plain text. Terraform/opentofu provides an interface for credential helpers to store these tokens in other secure systems, but there are no good implementations.
I want a credential helper that implements this interface to save tofu's tokens in a 1Password item.
It's not quite the same as other credentials I save in 1Password, since this token never has to be read or written by a human or copied to any other systems. It's just a secure way for tofu to write and read its own tokens. (When you do tofu login website.example it opens a web browser to the website's normal human login process, and that process generates a token which is given to tofu.) But I think 1Password is the right place for this because it's an existing secure system, and I'm already hooked into it for other tofu authentication I do (e.g. via the aws 1password plugin).
Contribution
- I'd be up for building the plugin myself.
Additional information
I believe this is an entirely different system than what the existing Terraform plugin covers.
Also related: The existing terraform plugin doesn't support opentofu #483
Open question: Should this be added to the existing terraform plugin, or should it be its own plugin?
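
The credentials-helper contract from the linked docs, as an added example that is not part of the issue or of the shell-plugins code: a helper receives a verb (`get`, `store`, `forget`) and a hostname, and exchanges a JSON credentials object over stdin/stdout. `MemoryBackend`, `handle` and `main` are hypothetical names, and the in-memory store is a stand-in for the 1Password item the issue asks for.

```python
import json
import sys


class MemoryBackend:
    """Stand-in store (assumption); a real helper would call a secret manager."""
    def __init__(self):
        self.items = {}


def handle(verb, host, stdin_text, backend):
    """Run one verb and return (stdout_text, stderr_text, exit_code)."""
    if verb == "get":
        # No stored credentials is not an error: empty object, exit 0.
        return json.dumps(backend.items.get(host, {})), "", 0
    if verb == "store":
        try:
            creds = json.loads(stdin_text)
        except json.JSONDecodeError:
            return "", "store: stdin is not valid JSON", 1
        if not isinstance(creds, dict) or not isinstance(creds.get("token"), str):
            return "", "store: expected an object with a string 'token'", 1
        backend.items[host] = creds  # stored as received
        return "", "", 0
    if verb == "forget":
        backend.items.pop(host, None)  # unknown host still succeeds
        return "", "", 0
    # Error text names the verb only; it never echoes stdin, which may hold a token.
    return "", f"unsupported verb: {verb}", 1


def main(argv, stdin, backend):
    # Arguments set in the CLI config come first; verb and hostname are the last two.
    if len(argv) < 2:
        print("usage: helper [args...] <get|store|forget> <hostname>", file=sys.stderr)
        return 2
    verb, host = argv[-2], argv[-1]
    out, err, code = handle(verb, host, stdin.read() if verb == "store" else "", backend)
    if out:
        print(out)
    if err:
        print(err, file=sys.stderr)
    return code


if __name__ == "__main__":
    # MemoryBackend forgets everything at exit; it only shows the protocol shape.
    sys.exit(main(sys.argv[1:], sys.stdin, MemoryBackend()))
```

Swapping `MemoryBackend` for a store that persists between invocations is the part the requested plugin would supply.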